From 2e25235d35fa5b65f6d1d0980ec45ff554253d0c Mon Sep 17 00:00:00 2001
From: Cole Faust
Date: Fri, 15 May 2026 17:52:47 -0700
Subject: [PATCH] Add --emit_sandbox_disabled

This will emit sandbox_disabled = true on every rule, so that we can enable action sandboxing on soong+make builds, but disable sandboxing for make actions across the board. We're only focusing on soong actions right now.
---
 src-rs/flags.rs | 2 ++
 src-rs/ninja.rs | 3 ++
 src/flags.cc | 2 ++
 src/flags.h | 1 +
 src/ninja.cc | 3 ++
 testcase/emit_sandbox_disabled.sh | 46 +++++++++++++++++++++++++++++++
 6 files changed, 57 insertions(+)
 create mode 100644 testcase/emit_sandbox_disabled.sh

diff --git a/src-rs/flags.rs b/src-rs/flags.rs
index b8a91f19..4fd041bd 100644
--- a/src-rs/flags.rs
+++ b/src-rs/flags.rs
@@ -62,6 +62,7 @@ pub struct Flags {
 pub no_ninja_prelude: bool,
 pub use_ninja_phony_output: bool,
 pub use_ninja_validations: bool,
+ pub emit_sandbox_disabled: bool,
 pub werror_find_emulator: bool,
 pub werror_overriding_commands: bool,
 pub warn_implicit_rules: bool,
@@ -168,6 +169,7 @@ impl Flags {
 b"--no_ninja_prelude" => flags.no_ninja_prelude = true,
 b"--use_ninja_phony_output" => flags.use_ninja_phony_output = true,
 b"--use_ninja_validations" => flags.use_ninja_validations = true,
+ b"--emit_sandbox_disabled" => flags.emit_sandbox_disabled = true,
 b"--werror_find_emulator" => flags.werror_find_emulator = true,
 b"--werror_overriding_commands" => flags.werror_overriding_commands = true,
 b"--warn_implicit_rules" => flags.warn_implicit_rules = true,
diff --git a/src-rs/ninja.rs b/src-rs/ninja.rs
index a5e4a297..bc1e8f89 100644
--- a/src-rs/ninja.rs
+++ b/src-rs/ninja.rs
@@ -507,6 +507,9 @@ impl<'a> NinjaGenerator<'a> {
 if node.is_restat {
 writeln!(out, " restat = 1")?;
 }
+ if FLAGS.emit_sandbox_disabled {
+ writeln!(out, " sandbox_disabled = true")?;
+ }
 }
 
 self.emit_build(nn, &node, rule_name, use_local_pool, out)
diff --git a/src/flags.cc b/src/flags.cc
index 37c8072c..35c0274e 100644
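Review bot: The new `if FLAGS.emit_sandbox_disabled` branch in src-rs/ninja.rs writes `sandbox_disabled = true` into every generated rule with nothing at the emit site recording why, and the matching branch in src/ninja.cc has the same gap. Since this switches a security control off for all make-generated actions, I would add a comment at both sites, e.g. `// Blanket sandbox opt-out for make-generated actions (--emit_sandbox_disabled); remove once make rules can run sandboxed.` The binding is presumably only understood by a ninja build that implements action sandboxing, so the flag's documentation should state that requirement. The block that the trailing `}` closes starts above the hunk.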
--- a/src/flags.cc
+++ b/src/flags.cc
@@ -189,6 +189,8 @@ void Flags::Parse(int argc, char** argv) {
 writable.push_back(writable_str);
 } else if (ParseCommandLineOptionWithArg("--default_pool", argv, &i,
 &default_pool)) {
+ } else if (!strcmp(arg, "--emit_sandbox_disabled")) {
+ emit_sandbox_disabled = true;
 } else if (arg[0] == '-') {
 ERROR("Unknown flag: %s", arg);
 } else {
diff --git a/src/flags.h b/src/flags.h
index 60103e1e..792d48ec 100644
--- a/src/flags.h
+++ b/src/flags.h
@@ -46,6 +46,7 @@ struct Flags {
 bool no_ninja_prelude;
 bool use_ninja_phony_output;
 bool use_ninja_validations;
+ bool emit_sandbox_disabled;
 bool werror_find_emulator;
 bool werror_overriding_commands;
 bool warn_implicit_rules;
diff --git a/src/ninja.cc b/src/ninja.cc
index b77b1021..cd3c6abd 100644
--- a/src/ninja.cc
+++ b/src/ninja.cc
@@ -471,6 +471,9 @@ class NinjaGenerator {
 if (node->is_restat) {
 out << " restat = 1\n";
 }
+ if (g_flags.emit_sandbox_disabled) {
+ out << " sandbox_disabled = true\n";
+ }
 }
 
 EmitBuild(nn, rule_name, use_local_pool, out);
diff --git a/testcase/emit_sandbox_disabled.sh b/testcase/emit_sandbox_disabled.sh
new file mode 100644
index 00000000..85267042
--- /dev/null
+++ b/testcase/emit_sandbox_disabled.sh
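Review bot: The `--emit_sandbox_disabled` branch in src/flags.cc is appended after the argument-taking `--default_pool` option, not beside `--use_ninja_validations`, which is where src/flags.h and the Rust parser in src-rs/flags.rs place it. Moving the `!strcmp(arg, "--emit_sandbox_disabled")` branch up next to the other boolean ninja flags would keep the two parsers easy to compare side by side. The rest of Flags::Parse is outside the hunk, so the exact neighbour is an assumption.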
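Review bot: `bool emit_sandbox_disabled;` in src/flags.h has no initializer, so its default depends on how the Flags object is created, which this diff does not show. For a switch that turns sandboxing off, the off state should be explicit and not inherited from zero-initialised storage: `bool emit_sandbox_disabled = false;`, or an assignment wherever the sibling flags receive their defaults. The neighbouring members follow the same pattern, so this makes the fail-safe default visible and is not a behaviour change if the struct is a zero-initialised global.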
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Copyright 2026 Google Inc. All rights reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -u
+
+mk="$@"
+
+cat < Makefile
+test:
+ echo hello
+EOF
+
+if echo "${mk}" | grep -qv "kati"; then
+ # Make doesn't support --emit_sandbox_disabled.
+ echo "Default: sandbox_disabled NOT found"
+ echo "With flag: sandbox_disabled found"
+else
+ # 1. Default case
+ ${mk} --ninja > /dev/null
+ if grep -q "sandbox_disabled = true" build.ninja; then
+ echo "Default: sandbox_disabled found"
+ else
+ echo "Default: sandbox_disabled NOT found"
+ fi
+
+ # 2. With flag
+ ${mk} --ninja --emit_sandbox_disabled > /dev/null
+ if grep -q "sandbox_disabled = true" build.ninja; then
+ echo "With flag: sandbox_disabled found"
+ else
+ echo "With flag: sandbox_disabled NOT found"
+ fi
+fi
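Review bot: The exit status of `${mk} --ninja` in the default case is ignored, so if kati fails before writing build.ninja the grep fails and the script prints `Default: sandbox_disabled NOT found`, the same line the make branch prints as the reference. The default case therefore passes without having checked any generated output. Checking the status closes that gap, e.g. `${mk} --ninja > /dev/null || { echo "kati failed"; exit 1; }`. Separately, the license header reads `http:#www.apache.org/licenses/LICENSE-2.0`, which should be `http://www.apache.org/licenses/LICENSE-2.0`.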